Warning:  Due to planned infrastructure maintenance, the EBRAINS Wiki and EBRAINS Support system will be unavailable for up to three days starting Monday, 14 July. During this period, both services will be inaccessible, and any emails sent to the support address will not be received.

Attention: We are currently experiencing some issues with the EBRAINS Drive. Please bear with us as we fix this issue. We apologise for any inconvenience caused.


Last modified by messines on 2022/05/25 10:11
From version 5.1
edited by messines
on 2021/03/18 12:17
Change comment: There is no comment for this version
To version 1.1
edited by villemai
on 2020/05/04 16:15
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -1. Registering an OIDC client
1 +Registering an OIDC client
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.messines
1 +XWiki.villemai
Content
... ... @@ -1,34 +13,13 @@
1 -== Must read before starting ==
2 -
3 -It's very important to choose the right type of clients and to understand the various OAuth flows.
4 -
5 -A very good documentation is this one :
6 -
7 -[[https:~~/~~/auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use>>url:https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use]]
8 -
9 -and another one
10 -
11 -[[https:~~/~~/dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho>>url:https://dzone.com/articles/the-right-flow-for-the-job-which-oauth-20-flow-sho]]
12 -
13 13  == Creating your OpenID Connect client ==
14 14  
15 -The steps to create an OpenID Connect (OIDC) client are the following:
3 +The steps to create an OpenID Connect client are the following:
16 16  
17 -1. Ask the developer accreditation to be authorize to create client
18 18  1. get an access token from the `developer` client
19 -1. save your registration access token for further modifications of your client
20 20  1. use the token to call the create endpoint
7 +1. save your registration access token for further modifications of your client
21 21  
22 -Note that a Jupyter Notebook notebook is available in the Drive of this collab to help you create and modify your OIDC client. Its name is: **//Managing an OpenID Connect client.ipynb//** [add link]
9 +Note that a [[notebook>>url:https://lab.ebrains.eu/user-redirect/lab/tree/drive/Shared%20with%20all/Collaboratory%20Community%20Apps/Managing%20an%20OpenID%20Connect%20client.ipynb]] is available to help you create and modify your OIDC client.
23 23  
24 -=== Ask for developer accreditation ===
25 -
26 -To be authorize to create an OIDC client you have to be accredited as developer.
27 -
28 -Please go on this page and "Request to join" the group [[https:~~/~~/wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam~~-~~-service-providers>>https://wiki.ebrains.eu/bin/view/Identity/#/groups/app-collaboratory-iam--service-providers]]
29 -
30 -We will quickly process your request and you will be able to create an OIDC client
31 -
32 32  === Fetching your developer access token ===
33 33  
34 34  Getting your developer token is done in one simple step: authenticate against the developer client with the password grant.
... ... @@ -37,8 +37,8 @@
37 37  
38 38  {{code language="bash"}}
39 39  # Gather username and password from user
40 -read -p 'Enter your username: ' clb_dev_username
41 -read -s -p 'Enter your password: ' clb_dev_pwd
19 +echo '\nEnter your username' && read clb_dev_username &&
20 +echo '\nEnter your password' && read -s clb_dev_pwd &&
42 42  
43 43  # Fetch the token
44 44  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/protocol/openid-connect/token \
... ... @@ -46,12 +46,12 @@
46 46   -d 'grant_type=password' \
47 47   --data-urlencode "username=${clb_dev_username}" \
48 48   --data-urlencode "password=${clb_dev_pwd}" |
28 +
29 +# Prettify the JSON response
30 +json_pp;
49 49  
50 -# and pretty-print the JSON response
51 -json_pp
52 -
53 53  # Erase the credentials from local variables
54 -clb_dev_pwd=''; clb_dev_username=''
33 +clb_dev_pwd='';clb_dev_username=''
55 55  {{/code}}
56 56  
57 57  The response will be similar to:
... ... @@ -69,7 +69,7 @@
69 69  }
70 70  {{/code}}
71 71  
72 -Store a copy of the "access_token" value. You will need if for the next step.
51 +Copy the "access_token" value, you will need if for the next step.
73 73  
74 74  === Creating the client ===
75 75  
... ... @@ -77,7 +77,7 @@
77 77  
78 78  {{code language="bash"}}
79 79  # Set your developer token
80 -clb_dev_token="eyJhbGci..."
59 +clb_dev_token=...
81 81  
82 82  # Send the creation request
83 83  curl -X POST https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/ \
... ... @@ -104,7 +104,7 @@
104 104   }
105 105   }' |
106 106  
107 -# Pretty print the JSON response
86 +# Prettify the JSON response
108 108  json_pp;
109 109  {{/code}}
110 110  
... ... @@ -156,7 +156,7 @@
156 156  
157 157  Among all the attributes, you should securely save:
158 158  
159 -* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making back-end calls
138 +* your client **secret** ("secret" attribute): it is needed by your application to **authenticate to the IAM server** when making backend calls
160 160  * your client **registration access token** ("registrationAccessToken"): you will need it to authenticate when **modifying your client in the future**
161 161  
162 162  === Modifying your client ===
... ... @@ -165,15 +165,14 @@
165 165  
166 166  {{code language="bash"}}
167 167  # Set your registration token and client id
168 -clb_reg_token="eyJhbGciOi..."
169 -clb_client_id="my-awesome-client"
147 +clb_reg_token=...
170 170  
171 -# Update the client. Note that the client ID appears both in the endpoint URL and in the body of the request.
172 -curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/${clb_client_id} \
149 +# Update the client
150 +curl -X PUT https://iam.ebrains.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
173 173   -H "Authorization: Bearer ${clb_reg_token}" \
174 174   -H 'Content-Type: application/json' \
175 175   -d '{
176 - "clientId": "'${clb_client_id}'",
154 + "clientId": "my-awesome-client",
177 177   "redirectUris": [
178 178   "/relative/redirect/path",
179 179   "/these/can/use/wildcards/*",
... ... @@ -181,13 +181,15 @@
181 181   ]
182 182   }' |
183 183  
184 -# Pretty print the JSON response
185 -json_pp
186 -
162 +# Prettify the JSON response
163 +json_pp;
187 187  {{/code}}
188 188  
189 189   Note that your need to provide your client id both in the endpoint URL and within the body of the request.
190 190  
191 191  {{warning}}
192 -**⚠  Each time you modify your client, a new registration access token is generated. You need to keep track of your latest token to keep access to your client.  **
169 +/!\ ** Each time you modify your client, a new registration access token will be generated. You need to keep track of your token changes to keep access to your client.   **/!\
193 193  {{/warning}}
171 +
172 +(% class="wikigeneratedid" id="HH4Won27tAppearinToC" %)
173 +
Table of content